Hacker News

One of the worst kept secrets in the world is that US cybersecurity, outside of the military and the IC, is incredibly bad.

Not sure why you're excluding Mil/IC here, in light of Bradley Manning and Edward Snowden. Did you mean to restrict your point to Internet-connected devices?



Yes. The comment was restricted to internet-connected devices and in particular network and endpoint security safeguards.

Both Snowden and Manning got their information from systems to which they had been granted access. .Mil and IC targets are among the most hardened in the world, even if they were a bit lax about implementing fine-grained access control amongst their cleared personnel.


When 1% of the nation has similar levels of access as these two, I don't know that it's reasonable to exclude the sneakernet vuln.


Not to sidetrack the conversation too much, but I fully agree, and I'm sure those in the agencies do as well. It's a gap they're closing, with two-man rules etc.


3 million people have equivalent security clearances as Bradley Manning or even Edward Snowden? I'm going to guess that's a little high.


1% is actually a little low. According to a report provided to Congress, 4.2 million people have a clearance. 1.4 million of those are TS/SCI (Top Secret / Secret Compartmentalized Information), the level Snowden held.

Source: http://blogs.fas.org/secrecy/2011/09/clearances/


The key part of that is the C in SCI. An SCI merely means you've been pre-screened to be allowed access.

It still requires stakeholders delegating access to said individuals for different [sub]compartments.


Very true. However, when creating security policy, one should always keep in mind those that have permission to access information, rather than those that have actual access to information.

It's a nightmare to me that there could be 15 people that have actual access to information, but a random official in the chain of command could give any one of 1.4 million people access to it without any further vetting.


I suspect the process is a little more difficult than a random official granting access without vetting.


Note that there's a very large difference in clearances and access.


Snowden had a far higher level of access than Manning.



